Malicious PDF — malware analysis report

Static analysis result for SHA-256 39cf9e933d70f2c6…

MALICIOUS

PDF

90.1 KB Created: 2021-10-05 20:11:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: bdc015af2e6687c6d85e6637ef6350d3 SHA-1: 9a4e9cdcfc0ddf9c351837b5b64cddee4a34d8a7 SHA-256: 39cf9e933d70f2c68445c48f10ac544599ad47bfe268bfc57fcfcbdf8c112493
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and ML classifiers, indicating a high likelihood of malicious intent. It contains embedded JavaScript and numerous external URIs, many of which point to compromised CMS uploads or disposable hosting, suggesting it functions as a link farm. The primary purpose appears to be directing users to potentially harmful external sites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7885

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=epistasis+examples+in+humans PDF link annotation
    • https://prana.video/wp-content/plugins/super-forms/uploads/php/files/0dhhld27ab72q7olfufnvknugu/fowumarelibumat.pdfIn PDF document text
    • http://silverspringabw.com/uploads/files/penixipokolijibenigi.pdfIn PDF document text
    • http://1night2daytour.com/ckupload/files/94101776049.pdfIn PDF document text
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/133d1688d042c80ee65e77507c864014/54852349524.pdfIn PDF document text
    • https://medsplus.us/admin/images/file/69602699157.pdfIn PDF document text
    • http://addon-colsman.somantec.net/ckfinder/userfiles/files/dujevepomelov.pdfIn PDF document text
    • http://lumieye.com/userData/ebizro_board/file/sedixipagaw.pdfIn PDF document text
    • https://lanjutpt1.com/contents/files/mibixesasajefuno.pdfIn PDF document text
    • https://smartstone.ca/userfiles/files/jerut.pdfIn PDF document text
    • http://thekitchendesignstudio.org/uploads/files/javuzemezelisi.pdfIn PDF document text
    • https://isigakizima.net/img/tmp/file/73415851423.pdfIn PDF document text
    • http://orosweb.hu/userfiles/file/rugazozeladaguwalosizer.pdfIn PDF document text
    • http://www.oomewatersport.nl/upload/files/55935104173.pdfIn PDF document text
    • http://cathyourhair.nl/js/ckfinder/userfiles/files/zopofogexijotuni.pdfIn PDF document text
    • https://yomadesign.com/userfiles/Proj_Name/files/zatavaxefud.pdfIn PDF document text
    • https://discovercefalu.it/_data/images/file/dosiwuzugefemuzogowa.pdfIn PDF document text
    • http://djk-winkel.de/images/uploads/file/11762482345.pdfIn PDF document text
    • http://www.hypnotiseur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1615a24ad3219c---fonaza.pdfIn PDF document text
    • https://nuevocoach.co.uk/wp-content/plugins/super-forms/uploads/php/files/ac3b38d0f0efb6757245e02b198a1245/sifazisidigofekewikex.pdfIn PDF document text
    • https://viadagio.be/userfiles/file/fagipefawosebudogepi.pdfIn PDF document text
    • http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/161440b90d70d2---64098685030.pdfIn PDF document text
    • https://comptables-publics.fr/userfiles/file/9782738398.pdfIn PDF document text
    • https://tranthachcaodanang.com/uploads/image/files/wapofexanebivezipijibifo.pdfIn PDF document text
    • https://rwd1.thadv.com/upload/files/35925964255.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014e99.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14E99 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.